MOBOTIX Online Help

Web Server

Open the Web Server dialog to set the camera's web server options.

For further information on working with certificates, see the Procedures for Using and Creating X.509 Certificates section.

General Interface Setup

Parameter

Description

Port or ports for web server

Per factory default settings, browsers can reach the camera's web server using port 80 (standard port for HTTP requests).

However, if the camera needs to be accessible from the local network (Intranet) and from the Internet, two web server ports can be defined for security reasons, so that local network and Internet access can be clearly separated.

Example 1. Access From the Local Network and From the Internet

Within the local network, the camera is accessible via port 80 and can be integrated in a MultiView display, for example. Access from the Internet uses a router connection with a mapped port to the camera. As port 80 is used already on the local network, the router channels access from the Internet to a different camera port (e.g. 8080).

In this case, you would have to enter the values 80 and 8080 for the ports.

Notes

  • Modify these settings only if you are fully aware of the consequences. A single invalid setting may render the camera unreachable!

  • Any modification of this setting only becomes effective after you Reboot the camera.

  • If no ports have been specified, you can reach the camera using the default port 80.

Enable HTTP

Select this setting if you would like to enable unencrypted connections to the camera's web server. In this case, the web server opens the port(s) specified in Port or ports for web server for HTTP requests.

Note

Make sure that at least one of the Enable HTTP and Enable HTTPS options is activated, since the web server of the camera will not accept any connections otherwise.

HTTPS Settings

Parameter

Description

Enable HTTPS

Select this setting if you would like to enable encrypted connections to the camera's web server. In this case, the web server opens the port specified in SSL/TLS port for HTTPS server for HTTPS requests.

Note

Make sure that at least one of the Enable HTTP and Enable HTTPS options is activated, since the web server of the camera will not accept any connections otherwise.

SSL/TLS port for HTTPS server

Specify the TCP port for SSL connections in this field. You can set only one port for HTTPS. If this field is empty and Enable HTTPS is activated, the web server will use port 443 (default) for HTTPS requests.

Download X.509 certificate

This button is only active if the camera contains an individual X.509 certificate. Use this button to download the X.509 certificate and the corresponding private key in PEM format currently used by the camera's web server to your computer.

Download X.509 certificate request

This button is only active if the camera has generated an X.509 certificate request before (see Generate self-signed X.509 certificate and X.509 certificate request). Use this button to download a certificate request in PEM format to your computer, which corresponds to the generated private key. This certificate request can be signed by an external certification authority and the resulting X.509 certificate can be uploaded to the camera (see Replace the X.509 certificate and private key currently used by the camera).

MxWeb Settings

Parameter

Description

Activate MxWeb

Select this option to activate the MxWeb user interface. When rebooting the next time, the camera will start a special web server for MxWeb. This will not interfere with the standard user interface in the browser, which can be used just like before.

Port for the MxWeb HTTP/WS server

Enter the TCP port for the HTTP and WS (Web Socket) connections used by MxWeb. If this field is empty, the web server will use port 8080 for MxWeb HTTP and WS connections.

Port for the MxWeb HTTPS/WS server

Enter the TCP port for the HTTPS and WSS (Secure Web Socket) connections used by MxWeb. If this field is empty, the web server will use port 8081 for MxWeb HTTPS and WSS connections.

Replace the X.509 certificate and private key currently used by the camera

This section contains the information of the certificate currently used by the camera.

Parameter

Description

Issuer

Displays the information of the certifying institution. The encoding of the information corresponds to the fields in the Generate self-signed X.509 certificate and X.509 certificate request section.

Subject

Displays the information of the certified body (e.g. you). The encoding of the information corresponds to the fields in the Generate self-signed X.509 certificate and X.509 certificate request section.

Validity period

Displays the validity period of the currently used certificate.

Replace the X.509 certificate and private key currently used by the camera

Parameter

Description

Delete the X.509 certificate

Deletes the X.509 certificate and corresponding private key currently used by the camera. After rebooting the camera, it will use its factory-supplied self-signed X.509 certificate again (factory default).

Upload the X.509 certificate and private key

Replaces the X.509 certificate and corresponding private key currently used by the camera. This X.509 certificate and the corresponding private key have to be created and signed by an external certification authority.

Upload X.509 certificate

Replaces the currently used X.509 certificate while keeping the currently used private key. Use this function to upload an X.509 certificate that has been generated from a previously created certificate request (see Generate self-signed X.509 certificate and X.509 certificate request).

Generate

Creates a new, self-signed X.509 certificate, the corresponding private key and a certificate request according to the information entered in the Generate self-signed X.509 certificate and X.509 certificate request section.

Upload X.509 certificate from file

In order to upload an X.509 certificate, enter the file name of the certificate file (in PEM format) on your computer. If you would like to upload an X.509 certificate and the corresponding private key stored in one file, you can enter the name of that file in this field.

Upload X.509 private key from file

In order to upload the corresponding private key for an X.509 certificate, enter the file name of the file (in PEM format) on your computer. If you would like to upload an X.509 certificate and the corresponding private key stored in one file, you can enter the name of that file in this field.

Passphrase

Enter the passphrase if the private key has been encrypted with a passphrase.

Generate self-signed X.509 certificate and X.509 certificate request

The fields of the form correspond to the fields of an X.509 certificate.

Parameter

Abbreviation

Description

Common name

CN

This is the only required information in this section of the dialog. Enter the complete DNS name (Fully Qualified Domain Name) of this camera. It is also possible to enter an IP address, but this is not recommended. Make sure that this field really matches the DNS name, which you use in a web browser to access the camera since the certificate would be invalid otherwise.

Country

C

Nationality of the certificate owner (optional).

State or province

ST

State/province of the certificate owner (optional).

Locality

L

City/location of the certificate owner (optional).

Organization

O

Company, organization, etc. of the certificate owner (optional).

Organizational unit

OU

Department/work group of the certificate owner (optional).

Email address

Email address of the certificate owner (included in CN, optional).

Note

If an external certification authority should sign the certificate request generated using this function, make sure that you follow the guidelines of the certification authority on the optional and required fields and not the recommendations of this form. The self-signed X.509 certificate has a validity period of 10 years. The key pair is 2048 bits long.

Procedures for Using and Creating X.509 Certificates

HTTPS with SSL/TLS is not Being Used

The X.509 certificates used in this dialog do not affect other areas of the camera and will be ignored if HTTPS with SSL/TLS has not been activated.

HTTPS with the Factory Default X.509 Certificate

As soon as HTTPS has been activated and the camera has been rebooted, you can use HTTPS. The camera will then use its factory-supplied, self-signed X.509 certificate that is identical for all MOBOTIX cameras. This certificate will not offer much security as it cannot guarantee the authenticity of the camera. This would allow a potential attacker to manipulate the data stream even though the camera uses a high-performance encryption scheme ("Man-in-the-middle" attack).

HTTPS with an Individual, Self-Certified X.509 Certificate

In the section Replace the X.509 certificate and private key currently used by the camera, click on Generate and enter the appropriate information in section Generate self-signed X.509 certificate and X.509 certificate request. Next, click on the Set button. The camera will generate an individual, self-signed X.509 certificate (this may take some time). The certificate request created at the same time will not be used. After rebooting the camera, it will use the new self-signed X.509 certificate.

Note

Make sure that you save the changes permanently before rebooting the camera (click Set, click on Close and approve the prompt).

When first accessing the camera after the reboot, your web browser will tell you that it cannot verify the certificate and will ask you whether you would like to accept the certificate anyway. The next step is relevant for security: Make sure that you only accept the certificate if you are absolutely sure that you are actually connected to the certified camera (e.g. by directly connecting the camera to the computer using a crossover cable). Note that you will have to accept the certificate for each accessed camera. This certificate is sufficient for securing the data transmission, but it is not yet the optimum. The authenticity of the camera can only be verified if the certificate of the camera is known beforehand.

HTTPS with an Individual, Externally Certified X.509 Certificate

Option 1: You can upload an X.509 certificate and the private key to the camera. To do so, use the function Upload the X.509 certificate and private key in the section Replace the X.509 certificate and private key currently used by the camera. You can purchase an X.509 certificate and private key from an external authority or you can run your own certification authority, e.g. by using OpenSSL. In this case, it is not required to generate a certificate request beforehand. A certificate request already present in the camera will be deleted upon executing this function. Every camera requires an individual certificate from the certification authority.

Option 2: Create a certificate request on the camera. The certificate request will be created together with the self-signed X.509 certificate (see HTTPS with an Individual, Self-Certified X.509 Certificate). As soon as the camera has created the certificate request, you can download this file in the Web Server section by clicking on the Download button next to Download X.509 certificate request. Send this certificate request file to the certification authority for signing. Until you receive the X.509 certificate from the certification authority, the camera will use its self-signed X.509 certificate.

Upload the X.509 certificate signed by the certification authority to the camera you would like to certify, using Upload X.509 certificate from file in the section Replace the X.509 certificate and private key currently used by the camera. This option has the advantage that the private key does not leave the camera, again enhancing its trustworthiness. Every camera requires an individual certificate from the certification authority. The certificate request, the certificate and the private key belong together. It is not possible to upload a certificate into a camera that matches the certificate request created by a different camera.

Such a certificate guarantees the optimum security for data transmission, since the camera's authenticity can be verified against the root certificate of the certification authority. "Man-in-the-middle" attacks are not possible any more. Moreover, it is not necessary to download the certificate of every camera as is the case with the self-signed X.509 certificate. All you need to do is to import the root certificate of the certification authority into the browser, once. The root certificates of commercial certification authorities are usually already present in modern browsers.
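
The points made above (the factory certificate is identical on all cameras, every camera needs an individual certificate, and authenticity can only be checked against a certificate known beforehand) can be turned into a fleet audit. The following Python sketch is an added example, not MOBOTIX code; the host names, the verdict labels and the placeholder certificate bytes are assumptions constructed for illustration.

```python
import hashlib
import ssl
from collections import defaultdict

def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def fetch_pem(host: str, port: int = 443) -> str:
    """Live use: fetch the certificate a camera presents (no validation)."""
    return ssl.get_server_certificate((host, port))

def audit(presented: dict, pinned: dict) -> dict:
    """presented: host -> PEM seen on the network.
    pinned: host -> fingerprint recorded over a trusted link, e.g. a
    direct cable connection when the camera was set up."""
    hosts_by_fp = defaultdict(list)
    for host, pem in presented.items():
        hosts_by_fp[fingerprint(pem)].append(host)
    verdict = {}
    for fp, hosts in hosts_by_fp.items():
        for host in hosts:
            if len(hosts) > 1:
                verdict[host] = "shared"      # not an individual certificate
            elif host not in pinned:
                verdict[host] = "unpinned"    # nothing known beforehand
            elif pinned[host] == fp:
                verdict[host] = "match"
            else:
                verdict[host] = "mismatch"    # differs from the recorded one
    return verdict

def demo_audit() -> dict:
    # Constructed placeholder bytes stand in for real DER certificates.
    factory = ssl.DER_cert_to_PEM_cert(b"constructed: factory default")
    cam_a = ssl.DER_cert_to_PEM_cert(b"constructed: individual cert cam-a")
    cam_d = ssl.DER_cert_to_PEM_cert(b"constructed: individual cert cam-d")
    other = ssl.DER_cert_to_PEM_cert(b"constructed: unexpected cert")
    presented = {
        "cam-a.example": cam_a,
        "cam-b.example": factory,   # two cameras presenting the same
        "cam-c.example": factory,   # certificate, as with factory defaults
        "cam-d.example": other,     # not what was recorded for cam-d
    }
    pinned = {"cam-a.example": fingerprint(cam_a),
              "cam-d.example": fingerprint(cam_d)}
    return audit(presented, pinned)

if __name__ == "__main__":
    for host, state in sorted(demo_audit().items()):
        print(host, state)
```

In live use, build the presented dictionary with fetch_pem() for each camera instead of the constructed samples.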

Intrusion Detection Settings

Parameter

Description

Enable intrusion detection

This setting provides an automatic defense against attacks. If an intruder tries to access the camera using "brute force" methods to guess user names and passwords, the camera sends an alert and, if required, can automatically lock out the offending IP address after a certain number of failed attempts.

Notification threshold

The Notification threshold controls the number of allowed failed attempts when trying to establish a connection to the camera (minimum value is 5). The alert will be sent if this number is exceeded.

Caution

Even if a user with valid credentials accesses the camera for the first time, this causes a failed attempt. The browser on the user's computer needs this first failed attempt to recognize that this website needs authentication credentials, prompting the browser to show its user name/password dialog. This weakness of the HTTP protocol is "by design" and hence unavoidable.

Timeout

Successive attempts of a user when trying to access a URL will be combined to one entry in the Web Server Logfile. This entry only contains information on when the user accessed the camera and how many access attempts of this user have been recorded during the specified time span. If a user accesses the camera again within the time span specified in Timeout after the last access, this additional access will be added to the existing entry in the Web Server Logfile (increase access counter by one, update date and time of the last access).

If the new access of a user occurs after the time span specified in Timeout, this access creates a new entry in the Web Server Logfile. This procedure will be applied to all authorized and unauthorized accesses.

A Timeout value of a few minutes will make distinguishing the individual access attempts easier. On the other hand, this will also increase the possibility of false alarms, since a successful access attempt cannot be added to a preceding failed attempt. The default value is 60 minutes, which is a good compromise.

Dead time

The Dead time controls the minimum time between two successive alert notifications. Once a notification has been sent, a new notification will only be sent if the dead time has expired and the number of failed attempts has again exceeded the notification threshold. The default value is 60 minutes. Setting this parameter to 0 will prompt the camera to send a notification on every access attempt.

Block IP Address

If IP-Level Access Control has been set up, the camera can use the Block IP Address feature to automatically block the IP address from which the unsuccessful logins had been attempted. This lock will be triggered if the Notification Threshold is reached; it is temporary and will be lifted upon the next reboot of the camera.

Note

If an IP address has been granted access in the IP-Level Access Control dialog, this IP address cannot be locked automatically. If you would like to activate the automatic locking of any IP address, you should delete all Allow access rules in the IP-Level Access Control dialog.

Email Notification

Sends an email according to the address and login information specified in the selected email profile.

Note

When sending an email notification, the camera will always append the Web Server Logfile as an attachment, independent from the attachment specified in the email profile.

Phone Call

Places a phone call according to the options specified in the selected phone profile.

Network Message

Sends an IP Notify (network) message according to the address and login information specified in the selected IP Notify profile.

Remark

The alerts triggered by Intrusion Detection are independent of the other alerting mechanisms and the event storage of the camera. If an alert triggered by Intrusion Detection should appear in the event storage for camera images, you should proceed as follows:

  • Create an IP Notify alert from the camera to itself (new profile in the IP Notify Profiles dialog, e.g. by using 127.0.0.1:8000 as the Destination Address).

  • In the Event Settings dialog, activate and configure the IP Receive (RC) event accordingly.
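
How Notification threshold, Timeout, Dead time and Block IP Address interact is easier to see in a small model. The following Python sketch is an added example, not the camera's firmware logic; it assumes one log entry per source IP address, that the lock is set when the threshold is first exceeded, and that the failed-attempt counter is not reset after a notification. All IP addresses and timings are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Entry:                        # one merged line of the Web Server Logfile
    first: int                      # minute of the first access
    last: int                       # minute of the most recent access
    count: int = 0                  # all accesses merged into this entry
    failed: int = 0                 # failed attempts among them

@dataclass
class IntrusionModel:
    threshold: int = 5              # Notification threshold (minimum 5)
    timeout: int = 60               # Timeout in minutes (default 60)
    dead_time: int = 60             # Dead time in minutes (default 60)
    block_ip: bool = True           # Block IP Address enabled
    allow: frozenset = frozenset()  # IPs with an Allow access rule
    log: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)
    last_alert: Optional[int] = None

    def access(self, minute: int, ip: str, ok: bool) -> None:
        if ip in self.blocked:                  # locked out: nothing logged
            return
        e = self.log.get(ip)
        if e is None or minute - e.last > self.timeout:
            e = self.log[ip] = Entry(first=minute, last=minute)  # new entry
        e.last, e.count = minute, e.count + 1   # merge into the entry
        if ok:
            return
        e.failed += 1
        if e.failed <= self.threshold:          # still within allowed attempts
            return
        if self.block_ip and ip not in self.allow:
            self.blocked.add(ip)                # Allow rules prevent the lock
        if self.last_alert is None or minute - self.last_alert >= self.dead_time:
            self.alerts.append((minute, ip))
            self.last_alert = minute

def demo_intrusion() -> IntrusionModel:
    m = IntrusionModel(allow=frozenset({"192.0.2.10"}))
    m.access(0, "192.0.2.20", ok=False)         # browser's first request
    m.access(0, "192.0.2.20", ok=True)          # same user, with credentials
    for minute in range(10, 20):                # constructed run of bad logins
        m.access(minute, "203.0.113.7", ok=False)
    for minute in (30, 31, 32, 33, 34, 35, 90): # source with an Allow rule
        m.access(minute, "192.0.2.10", ok=False)
    return m

if __name__ == "__main__":
    m = demo_intrusion()
    print("alerts:", m.alerts, "blocked:", sorted(m.blocked))
```

In the constructed run, the address with an Allow rule exceeds the threshold at minute 35 but is neither locked nor reported until the dead time since the first alert has expired.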


Storing the Configuration

Click on the Set button to activate your settings and to save them until the next reboot of the camera.

Click on the Factory button to load the factory defaults for this dialog (this button may not be present in all dialogs).

Click on the Restore button to undo your most recent changes that have not been stored in the camera permanently.

Click on the Close button to close the dialog. While closing the dialog, the system checks the entire configuration for changes. If changes are detected, you will be asked if you would like to store the entire configuration permanently.


© 2001-2018 MOBOTIX · http://www.mobotix.com/